LLMResponse CM.L2-3.4.3.d
I'll help you evaluate how to best collect evidence for the assessment objective "[d] changes to the system are logged" within CM.L2-3.4.3. Based on the CMMC Level 2 Assessment Guide and your assessment approaches, I'll rank the evidence types and prioritize assessment approaches.
Evidence Types Ranking for "[d] changes to the system are logged"
1. **Artifacts (I1)** - Highest priority evidence type because it provides direct proof that changes are being logged:
   - System-generated change logs
   - Audit logs showing configuration changes
   - Database records of change history
   - Version control system logs
   - Change management tool reports showing logged changes
   - System backup logs that capture pre and post-change states
2. **Screen Share (I4)** - Second most valuable evidence type for this objective:
   - Live demonstration of how changes are captured in logs
   - Real-time viewing of change logging mechanisms
   - Display of historical change logs in systems
   - Showing how to query or extract change log information
3. **Documents (I2)** - Third most valuable evidence type:
   - Configuration management policy that requires logging of changes
   - Procedures describing change logging requirements
   - System security plan sections addressing change logging
   - Log retention policies for change records
   - Change management plan describing logging processes
4. **Physical Review (I3)** - Lowest priority for this objective since logging is primarily digital:
   - Physical access to logging servers or systems
   - Observation of automated logging processes
   - Physical storage of archived logs (if applicable)
Assessment Approach Prioritization
1. **Examine (C1)** - Primary approach because:
   - It allows direct review of the actual change logs
   - You can verify complete and consistent logging practices
   - It demonstrates the integrity and retention of change logs
   - Key assessment objects: system audit logs and records, change control records, system configuration settings and associated documentation
2. **Test (C3)** - Second priority for this objective:
   - Verify that all types of changes trigger appropriate logging
   - Test that logs capture required details (who, what, when, where)
   - Validate log integrity and retention capabilities
   - Key assessment objects: mechanisms that implement configuration change control
3. **Interview (C2)** - Third priority but still important:
   - Helps understand logging configurations and practices
   - Reveals log management and protection measures
   - Identifies any potential gaps in logging coverage
   - Key personnel: system or network administrators, personnel with configuration change control responsibilities
Practical Implementation Strategy
For optimal assessment of "[d] changes to the system are logged":
1. Start by examining change logs:
   - System audit logs showing configuration changes
   - Change management tool logs
   - Administrator activity logs
   - Look for completeness of information (date/time, user, action, before/after states)
2. Test the logging mechanisms by:
   - Making a controlled change and verifying it's properly logged
   - Ensuring different types of changes (hardware, software, configuration) are logged
   - Checking that logs are protected from unauthorized modification
   - Verifying log retention meets policy requirements
3. Interview key personnel about:
   - Log configuration and management
   - Log review processes
   - Log protection measures
   - Log retention policies and procedures
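
The examine and test steps above can be partly automated. The following is an added example, not part of the original response: it checks an exported change log for the completeness fields listed in step 1 and confirms that a controlled change from step 2 appears in the log. The JSON-lines export format, the key names and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Completeness fields from step 1 (date/time, user, action, before/after states).
# The key names and the extra "target" field are assumptions for this example.
REQUIRED = ("timestamp", "user", "action", "target", "before", "after")

# Constructed sample export, one JSON record per line (not real log data).
SAMPLE_LOG = """\
{"timestamp": "2024-03-04T14:02:11+00:00", "user": "jdoe", "action": "modify", "target": "fw01:/rules/42", "before": "deny", "after": "allow"}
{"timestamp": "2024-03-04T15:40:00+00:00", "user": "", "action": "modify", "target": "sw02:/vlan/10", "before": "10", "after": "20"}
{"timestamp": "not-a-date", "user": "asmith", "action": "install", "target": "app01:pkg/openssl", "before": null, "after": "3.0.13"}
{"timestamp": "2024-03-05T09:15:30+00:00", "user": "asmith", "action": "modify", "target": "app01:/etc/ssh/sshd_config", "after": "PermitRootLogin no"}
"""

def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def record_gaps(rec):
    """Return the list of completeness problems for one change record."""
    gaps = [f"missing {k}" for k in REQUIRED if k not in rec]
    for k in ("user", "action", "target"):
        if k in rec and not str(rec[k] or "").strip():
            gaps.append(f"empty {k}")
    ts = rec.get("timestamp")
    if ts is not None:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                gaps.append("timestamp has no timezone")
        except (TypeError, ValueError):
            gaps.append("unparseable timestamp")
    return gaps

def audit(records):
    """Map 1-based record number -> gaps, for records that have any."""
    return {i: g for i, rec in enumerate(records, 1) if (g := record_gaps(rec))}

def controlled_change_logged(records, user, target, after, start, end):
    """True if a complete record of the test change falls in the test window."""
    for rec in records:
        if record_gaps(rec):
            continue  # an incomplete record is not acceptable evidence
        when = datetime.fromisoformat(rec["timestamp"])
        if (rec["user"], rec["target"], rec["after"]) == (user, target, after) and start <= when <= end:
            return True
    return False

if __name__ == "__main__":
    print(audit(parse(SAMPLE_LOG)))
```

A `null` before or after state is accepted here because an install or removal has no prior or resulting value; only an absent key counts as a gap.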
This comprehensive approach will provide strong evidence that your organization is meeting the requirement for logging changes to organizational systems, which is essential for CMMC Level 2 compliance.
When implementing this strategy, focus on demonstrating that the logs:
- Capture all relevant changes
- Include sufficient detail for accountability
- Are protected from tampering
- Are retained for an appropriate period
- Can be retrieved when needed for investigation or audit